
Credential Phishing: W-2 lure with inline SVG Windows logo

Sublime Rules

Summary
This rule detects credential phishing emails that attempt to harvest user credentials by impersonating Microsoft/Windows branding with an inline SVG. It operates on inbound messages and uses a two-part check: (1) link text analysis, where the display_text (after confusable character normalization) contains a W-2 reference, captured with a fuzzy regex that tolerates obfuscated forms such as W or VV with optional spaces or hyphens before the 2; and (2) HTML body analysis that looks for an inline SVG built from four colored rectangles designed to mimic the Windows logo. The SVG pattern is defined with specific hex color ranges to accommodate minor campaign variations while preserving the Windows motif; rendering the logo as inline SVG rather than an attached or remote image is intended to evade image-based detection. The rule is categorized under credential phishing and uses content and HTML analysis as detection methods. Tactics and techniques include Evasion, HTML smuggling, and Social engineering to deliver a convincing brand impersonation. The overall goal of the lure is to prompt credential submission by leveraging a W-2 theme embedded in the email content.
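To make the two-part check concrete, the following is an added Python example, not Sublime's rule code: it normalizes anchor display text, applies a fuzzy W-2 regex, and scans inline SVGs for four rectangles whose fills fall inside assumed per-channel ranges around the Windows logo colors. The color ranges, the small confusable map, the `evaluate` function and the two sample messages are all constructed assumptions for illustration; the real rule's exact ranges and regex are not reproduced on the page.

```python
import re
import unicodedata
from html.parser import HTMLParser

# Assumed per-channel (min, max) RGB ranges for the four Windows-logo quadrants.
# These are illustrative, not the rule's actual ranges.
WINDOWS_COLOR_RANGES = {
    "red":    ((0xD0, 0x30, 0x00), (0xFF, 0x70, 0x40)),
    "green":  ((0x60, 0xA0, 0x00), (0xA0, 0xD0, 0x40)),
    "blue":   ((0x00, 0x80, 0xC0), (0x40, 0xC0, 0xFF)),
    "yellow": ((0xE0, 0xA0, 0x00), (0xFF, 0xD0, 0x40)),
}

# Tiny illustrative confusable map for glyphs NFKC does not fold (assumed, not exhaustive).
CONFUSABLES = str.maketrans({"\u051c": "W", "\u051d": "w", "\uff37": "W"})

# Fuzzy W-2 pattern: "W" or "VV", optional spaces/hyphen/underscore, then "2" not followed by a digit.
W2_LURE = re.compile(r"(?<![a-z0-9])(?:w|v\s*v)\s*[-_\u2013]?\s*2(?![0-9])", re.IGNORECASE)


def normalize_display_text(text):
    """NFKC-fold (fullwidth letters/digits), then map remaining look-alike glyphs."""
    folded = unicodedata.normalize("NFKC", text).translate(CONFUSABLES)
    return " ".join(folded.split())


class _LureCollector(HTMLParser):
    """Collects anchor display text and, per inline <svg>, the fill colour of each <rect>."""

    def __init__(self):
        super().__init__()
        self.link_texts = []
        self.svg_rect_fills = []
        self._svg_depth = 0
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._in_anchor = True
            self.link_texts.append("")
        elif tag == "svg":
            self._svg_depth += 1
            self.svg_rect_fills.append([])
        elif tag == "rect" and self._svg_depth > 0:
            fill = a.get("fill")
            if fill is None:  # the fill may also be set through an inline style
                m = re.search(r"fill\s*:\s*(#[0-9a-fA-F]{3,6})", a.get("style") or "")
                fill = m.group(1) if m else None
            if fill:
                self.svg_rect_fills[-1].append(fill)

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False
        elif tag == "svg" and self._svg_depth > 0:
            self._svg_depth -= 1

    def handle_data(self, data):
        if self._in_anchor and self.link_texts:
            self.link_texts[-1] += data


def parse_hex(color):
    """'#F25022' or '#abc' -> (r, g, b); None if not a hex colour."""
    c = color.strip().lstrip("#")
    if len(c) == 3:
        c = "".join(ch * 2 for ch in c)
    if not re.fullmatch(r"[0-9a-fA-F]{6}", c):
        return None
    return tuple(int(c[i:i + 2], 16) for i in (0, 2, 4))


def quadrant_of(color):
    """Name of the logo quadrant whose assumed range contains this colour, else None."""
    rgb = parse_hex(color)
    if rgb is None:
        return None
    for name, (lo, hi) in WINDOWS_COLOR_RANGES.items():
        if all(lo[i] <= rgb[i] <= hi[i] for i in range(3)):
            return name
    return None


def has_windows_logo_svg(rect_fill_lists):
    """True if any single inline <svg> has rects covering all four logo colours."""
    for fills in rect_fill_lists:
        if len(fills) >= 4 and {quadrant_of(f) for f in fills} >= set(WINDOWS_COLOR_RANGES):
            return True
    return False


def evaluate(html_body):
    """Run both halves of the check and report each verdict plus the combined match."""
    parser = _LureCollector()
    parser.feed(html_body)
    w2 = any(W2_LURE.search(normalize_display_text(t)) is not None for t in parser.link_texts)
    svg = has_windows_logo_svg(parser.svg_rect_fills)
    return {"w2_link_text": w2, "windows_logo_svg": svg, "match": w2 and svg}


# Constructed sample lure: Cyrillic Komi De (U+051C) stands in for the Latin W in the link text.
SAMPLE_LURE = """<html><body>
<svg width="16" height="16" viewBox="0 0 16 16">
  <rect x="0" y="0" width="7" height="7" fill="#F25022"/>
  <rect x="9" y="0" width="7" height="7" fill="#7FBA00"/>
  <rect x="0" y="9" width="7" height="7" style="fill:#00A4EF"/>
  <rect x="9" y="9" width="7" height="7" fill="#FFB900"/>
</svg> Microsoft
<p>Your tax documents are ready.</p>
<a href="https://example.invalid/review">Review your \u051c - 2 now</a>
</body></html>"""

# Constructed benign message: ordinary link text and a single-rectangle SVG.
SAMPLE_BENIGN = """<html><body>
<svg width="16" height="16"><rect width="16" height="16" fill="#0078d4"/></svg>
<a href="https://example.invalid/news">Read the Q2 newsletter</a>
</body></html>"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_LURE))    # both halves fire, so match is True
    print(evaluate(SAMPLE_BENIGN))  # neither half fires
```

Requiring both halves to fire is what keeps the false-positive rate down: a legitimate payroll notice may carry a W-2 link, and a Microsoft newsletter may carry the logo as SVG, but the combination in one inbound message is the signal the rule is built around. The per-channel ranges are deliberately loose so a campaign that nudges a hex value by a few units still trips the SVG half.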
Categories
  • Web
Data Sources
  • Web Credential
Created: 2026-04-09